Manage F5 BIG-IP FAST with Terraform (Part 3 - Manage multiple AWAF policies based on HTTP criteria)
The goal of this use case is to deploy a new HTTPS application with F5 BIG-IP Advanced Web Application Firewall policy on F5 BIG-IP device using F5 BIG-IP Application Services Templates Terraform resources. Web application firewall policies and pools will be applied based on hostname or uri path.
This configuration can be applied in a public cloud when there is only one public IP and you want to manage different applications and the associated Web Application Firewall policy. The selection can be based on hostname or uri.
Table of Content
- Table of Content
- Workflow to manage multiple AWAF policies and pools based on HTTP criteria
- Demo Video
- Resources
- Article Series
Workflow to manage multiple AWAF policies and pools based on HTTP criteria
First, create 4 files:
- main.tf
- variables.tf
- inputs.auto.tfvars
- providers.tf
variables.tf
variable "bigip" {}
variable "username" {}
variable "password" {}
variable "policyname" {
type = string
default = ""
}
variable "partition" {
type = string
default = "Common"
}
inputs.auto.tfvars
bigip = "10.1.1.9:443"
username = "admin"
password = "whatIsYourBigIPPassword?"
partition = "Common"
policyname = "myApp6_ltm_policy"
providers.tf
terraform {
required_providers {
bigip = {
source = "F5Networks/bigip"
version = ">= 1.16.0"
}
}
}
provider "bigip" {
address = var.bigip
username = var.username
password = var.password
}
main.tf
resource "bigip_waf_policy" "app1" {
provider = bigip
description = "WAF Policy for App1"
name = "app1"
partition = var.partition
template_name = "POLICY_TEMPLATE_RAPID_DEPLOYMENT"
application_language = "utf-8"
enforcement_mode = "blocking"
server_technologies = ["Apache Tomcat", "MySQL", "Unix/Linux"]
}
resource "time_sleep" "wait_a" {
create_duration = "10s"
depends_on = [bigip_waf_policy.app1, bigip_waf_policy.app2]
}
resource "time_sleep" "wait_b" {
create_duration = "10s"
depends_on = [bigip_waf_policy.restricted]
}
resource "bigip_waf_policy" "app2" {
provider = bigip
description = "WAF Policy for App2"
name = "app2"
partition = var.partition
template_name = "POLICY_TEMPLATE_RAPID_DEPLOYMENT"
application_language = "utf-8"
enforcement_mode = "blocking"
server_technologies = ["Apache Tomcat", "MySQL", "Unix/Linux", "MongoDB"]
}
resource "bigip_waf_policy" "restricted" {
provider = bigip
description = "WAF Policy for restricted areas"
name = "restricted"
partition = var.partition
template_name = "POLICY_TEMPLATE_RAPID_DEPLOYMENT"
application_language = "utf-8"
enforcement_mode = "blocking"
server_technologies = ["Apache Tomcat", "MySQL", "Unix/Linux", "MongoDB"]
depends_on = [time_sleep.wait_a]
}
resource "bigip_waf_policy" "default" {
provider = bigip
description = "desfault WAF Policy"
name = "default"
partition = var.partition
template_name = "POLICY_TEMPLATE_RAPID_DEPLOYMENT"
application_language = "utf-8"
enforcement_mode = "blocking"
server_technologies = ["Apache Tomcat", "MySQL", "Unix/Linux", "MongoDB"]
depends_on = [time_sleep.wait_b]
}
resource "bigip_ltm_pool" "pool1" {
provider = bigip
name = "/${var.partition}/pool1"
allow_nat = "yes"
allow_snat = "yes"
load_balancing_mode = "round-robin"
}
resource "bigip_ltm_pool_attachment" "pool1-member" {
pool = bigip_ltm_pool.pool1.name
node = "10.1.10.120:80"
}
resource "bigip_ltm_pool" "pool2" {
provider = bigip
name = "/${var.partition}/pool2"
allow_nat = "yes"
allow_snat = "yes"
load_balancing_mode = "round-robin"
}
resource "bigip_ltm_pool_attachment" "pool2-member" {
pool = bigip_ltm_pool.pool2.name
node = "10.1.10.121:80"
}
resource "bigip_ltm_pool" "pool_restricted" {
provider = bigip
name = "/${var.partition}/pool_restricted"
allow_nat = "yes"
allow_snat = "yes"
load_balancing_mode = "round-robin"
}
module "consolidated_vips" {
source = "github.com/f5devcentral/fast-terraform//multiple_waf_policies?ref=v1.0.0"
providers = {
bigip = bigip
}
name = var.policyname
partition = var.partition
rules = [
{
name = "WWW1_App"
hostname = ["www1.f5demo.com", "app1.f5demo.com"]
policy = bigip_waf_policy.app1.name
pool_name = bigip_ltm_pool.pool1.name
},
{
name = "WWW2_App"
hostname = ["www2.f5demo.com"]
policy = bigip_waf_policy.app2.name
pool_name = bigip_ltm_pool.pool2.name
},
{
name = "restricted"
path = ["/restricted", "/admin", "/hr"]
policy = bigip_waf_policy.restricted.name
pool_name = bigip_ltm_pool.pool_restricted.name
}]
default_policy = bigip_waf_policy.default.name
depends_on = [bigip_waf_policy.app1, bigip_waf_policy.app2, bigip_waf_policy.restricted, bigip_waf_pol
icy.default]
}
resource "bigip_fast_https_app" "this" {
application = "myApp6"
tenant = "scenario6"
virtual_server {
ip = "10.1.10.226"
port = 443
}
tls_server_profile {
tls_cert_name = "/Common/default.crt"
tls_key_name = "/Common/default.key"
}
snat_pool_address = ["10.1.10.50", "10.1.10.51", "10.1.10.52"]
endpoint_ltm_policy = ["${module.consolidated_vips.ltmPolicyName}"]
security_log_profiles = ["/Common/Log all requests"]
depends_on = [bigip_waf_policy.app1, bigip_waf_policy.app2, bigip_waf_policy.restricted, bigip_
waf_policy.default, module.consolidated_vips.ltmPolicyName]
}
here is how run it:
$ terraform init -upgrade
$ terraform plan -out scenario6
$ terraform apply "scenario6"
Demo Video
Resources
Terraform Registry documentation
Article Series
Manage F5 BIG-IP FAST with Terraform (Part 1 - Create multiple HTTP applications in the same tenant)
Manage F5 BIG-IP FAST with Terraform (Part 3 - Manage multiple AWAF policies based on HTTP criteria)
Published Nov 28, 2022
Version 1.0